Noted.  I did wonder if it applied to FreeBSD as it wasn't mentioned in the
man page, but I just tried it to see and it appeared to work.

Changed to 'bce0' but no difference to the TLS (or lack thereof) behaviour.

Regards,
Jason

On 30 January 2017 at 16:29, Dima Panov <[email protected]> wrote:

> 30.01.17 20:28, Jason Mann wrote:
> > Here it is:
> >
> > --- smtpd.conf ---
> > ca mail.mydomain.net certificate "/usr/local/etc/letsencrypt/archive/mydomain.net/chain1.pem"
> > pki mail.mydomain.net certificate "/usr/local/etc/letsencrypt/archive/mydomain.net/cert1.pem"
> > pki mail.mydomain.net key "/usr/local/etc/letsencrypt/archive/mydomain.net/privkey1.pem"
> > pki mail.mydomain.net dhparams "/etc/ssl/dh2048.pem"
> >
> > listen on lo0 hostname localhost
> >
> > listen on egress tls-require hostname mail.mydomain.net
> >
>
> You shouldn't use the 'egress' macro for interfaces on FreeBSD, it's an
> OpenBSD feature.
> Describe it with real interface names.
>
> listen on lo0 port 25 filter all tls pki my.server.tld ca my.server.tld
> received-auth
> listen on em0 port 25 filter all tls pki my.server.tld ca my.server.tld
> received-auth
> listen on lo0 port 465 filter all smtps pki my.server.tld ca my.server.tld
> received-auth
> listen on em0 port 465 filter all smtps pki my.server.tld ca my.server.tld
> received-auth
> listen on lo0 port 587 filter sub tls-require pki my.server.tld ca my.server.tld received-auth
> listen on em0 port 587 filter sub tls-require pki my.server.tld ca my.server.tld received-auth
>
> > table aliases db:/usr/local/etc/mail/aliases.db
> > table vdomains file:/usr/local/etc/mail/virtualdomains
> > table vusers file:/usr/local/etc/mail/virtualusers
> >
> > accept from any for domain <vdomains> virtual <vusers> deliver to maildir
> > accept for local alias <aliases> deliver to maildir
> > accept for any relay
> > --- end smtpd.conf ---
> >
> > virtualdomains just lists three domains I own, while virtualusers maps
> > jason@ those domains to my local user.
> >
> > Thanks.
> >
> > Jason
> >
> > On 30 January 2017 at 10:24, Gilles Chehade <[email protected]> wrote:
> >
> >     On Fri, Jan 27, 2017 at 02:41:47PM +0000, Jason Mann wrote:
> >     > Hello list.
> >     >
> >     > I'm trying to configure OpenSMTPD 5.9.2 on a FreeBSD server but I'm seeing
> >     > anomalous behaviour with one of my listen directives.
> >     >
> >     > The directive in question is:
> >     >
> >     >   listen on egress tls-require hostname mail.mydomain.net
> >     >
> >     > My only other listen directive is the usual localhost one.
> >     >
> >
> >     can you show your full config please ?
> >
> >
> >     > The smtpd.conf man page states: "tls-require may be used to force clients
> >     > to establish a secure connection before being allowed to start an SMTP
> >     > transaction".
> >     >
> >     > I ran a telnet test against the server to see how the forcing of TLS takes
> >     > place, but it didn't happen.  I was able to manually submit a message to
> >     > OpenSMTPD without TLS as follows:
> >     >
> >     > $ telnet a.mx.mydomain.net 25
> >     > Trying xxxx:xxx:xx:xxx::x:xxxx...
> >     > Connected to a.mx.mydomain.net.
> >     > Escape character is '^]'.
> >     > 220 mail.mydomain.net ESMTP OpenSMTPD
> >     > HELO jmann-mbp
> >     > 250 mail.mydomain.net Hello jmann-mbp
> >     > [IPv6:xxxx:xxxx:xxxx:xxxx:xxxx:xxxx:xxxx:xxxx],
> >     > pleased to meet you
> >     > MAIL FROM:<jmann@jmann-mbp>
> >     > 250 2.0.0: Ok
> >     > RCPT TO:<[email protected]>
> >     > 250 2.1.5 Destination address valid: Recipient ok
> >     > DATA
> >     > 354 Enter mail, end with "." on a line by itself
> >     > From: Jason Mann <jmann@jmann-mbp>
> >     > To: Jason Mann <[email protected]>
> >     > Subject: Test 4
> >     >
> >     > This is a test.
> >     > .
> >     > 250 2.0.0: f20f3998 Message accepted for delivery
> >     > QUIT
> >     > 221 2.0.0: Bye
> >     >
> >     > What may be wrong here?
> >     >
> >     > Kind regards,
> >     >
> >     > Jason
> >
> >     --
> >     Gilles Chehade
> >
> >     https://www.poolp.org @poolpOrg
> >
> >
>
>
> --
> Dima Panov ([email protected])
> (X11, KDE, Office)@FreeBSD team
>
> Facebook: http://www.facebook.com/fluffy.khv
> twitter: fluffy_khv | skype: dima.panov | telegram: @dima_panov
> IRC: fluffy@EFNet, fluffykhv@FreeNode
>
>
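The two questions this thread turns on are whether a given `listen` line actually requires TLS and whether a cleartext session was able to get a `MAIL FROM` accepted, as Jason's telnet transcript shows. The following Python is an added example written for this page, not code from the thread or from the OpenSMTPD project: it parses `listen on ...` directives from an smtpd.conf fragment and flags listeners that still accept cleartext submission (plus the `egress` macro that Dima advises against on FreeBSD), and it replays a captured SMTP session to check whether the server answered 250 to `MAIL FROM` before any successful STARTTLS. The config fragment, the session transcripts and the `530` reply wording are constructed for the example; the only smtpd.conf keywords relied on are `listen on`, `port`, `tls`, `tls-require` and `smtps`, all of which appear in the thread.

```python
import re

# Constructed smtpd.conf fragment modelled on the ones quoted in this thread
# (not a real server's configuration).
SAMPLE_CONF = """\
listen on lo0 hostname localhost
listen on egress tls-require hostname mail.mydomain.net
listen on em0 port 587 filter sub tls-require pki my.server.tld ca my.server.tld received-auth
listen on em0 port 465 filter all smtps pki my.server.tld ca my.server.tld received-auth
"""

# Constructed session in the shape of the telnet transcript quoted above:
# the server accepts MAIL FROM while the connection is still cleartext.
CLEARTEXT_SESSION = """\
220 mail.mydomain.net ESMTP OpenSMTPD
HELO jmann-mbp
250 mail.mydomain.net Hello jmann-mbp [IPv6:xxxx::xxxx],
pleased to meet you
MAIL FROM:<jmann@jmann-mbp>
250 2.0.0: Ok
QUIT
221 2.0.0: Bye
"""

# Constructed session where TLS is enforced: MAIL FROM is refused before
# STARTTLS (reply text is illustrative, not quoted from OpenSMTPD).
ENFORCED_SESSION = """\
220 mail.example.test ESMTP
EHLO client.test
250-mail.example.test Hello client.test
250 STARTTLS
MAIL FROM:<a@client.test>
530 5.7.0 Must issue a STARTTLS command first
STARTTLS
220 2.0.0 Ready to start TLS
MAIL FROM:<a@client.test>
250 2.0.0: Ok
"""

TLS_MODES = ("tls-require", "tls", "smtps")  # listener keywords seen in the thread


def parse_listen(line):
    """Describe one 'listen on ...' directive: interface, port and TLS mode.
    Returns None for any other line (tables, accept rules, comments)."""
    tokens = line.strip().split()
    if len(tokens) < 3 or tokens[0] != "listen" or tokens[1] != "on":
        return None
    entry = {"interface": tokens[2], "port": 25, "tls": "none", "line": line.strip()}
    i = 3
    while i < len(tokens):
        if tokens[i] == "port" and i + 1 < len(tokens):
            entry["port"] = int(tokens[i + 1])
            i += 2
            continue
        if tokens[i] in TLS_MODES:
            entry["tls"] = tokens[i]
        i += 1
    return entry


def lint_listeners(conf_text, platform="freebsd"):
    """Return (finding, port) pairs: listeners that permit cleartext
    submission, and use of the 'egress' macro outside OpenBSD."""
    findings = []
    for entry in filter(None, map(parse_listen, conf_text.splitlines())):
        if entry["tls"] == "none":
            findings.append(("cleartext-only", entry["port"]))
        elif entry["tls"] == "tls":  # STARTTLS offered but not required
            findings.append(("tls-optional", entry["port"]))
        if entry["interface"] == "egress" and platform != "openbsd":
            findings.append(("egress-macro", entry["port"]))
    return findings


def accepted_mail_without_tls(transcript):
    """Replay a captured SMTP session (client and server lines interleaved)
    and report whether MAIL FROM got a 250 before TLS was negotiated."""
    tls_active = False
    last_command = ""
    for raw in transcript.splitlines():
        line = raw.strip()
        if re.match(r"^\d{3}[ -]", line):  # server reply
            if last_command.startswith("STARTTLS") and line.startswith("220"):
                tls_active = True
            if last_command.startswith("MAIL FROM") and line.startswith("250") and not tls_active:
                return True
            continue
        last_command = line.upper()  # client command (or a reply continuation)
    return False


if __name__ == "__main__":
    for finding, port in lint_listeners(SAMPLE_CONF):
        print(f"port {port}: {finding}")
    print("cleartext MAIL FROM accepted:", accepted_mail_without_tls(CLEARTEXT_SESSION))
    print("enforced session accepted cleartext:", accepted_mail_without_tls(ENFORCED_SESSION))
```

Feeding a real telnet capture to `accepted_mail_without_tls` gives a yes/no answer to the question Jason asked the list, independent of what the config claims; running `lint_listeners` over the live smtpd.conf shows which listener the cleartext session could have landed on, which on the original config is the `lo0` listener with no TLS keyword at all.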
